add longhorn oauth2 proxy

2025-03-20 01:10:09 +01:00
parent 012f70811f
commit 35af177b45
4 changed files with 91 additions and 0 deletions
--- a/deploy/longhorn/kustomization.yaml
+++ b/deploy/longhorn/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - longhorn-ingress.yaml
+  - oauth2-proxy-longhorn-svc.yaml
+  - oauth2-proxy-longhorn.yaml
--- a/deploy/longhorn/longhorn-ingress.yaml
+++ b/deploy/longhorn/longhorn-ingress.yaml
@@ -0,0 +1,33 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: longhorn-ingress
+  namespace: longhorn-system
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    nginx.ingress.kubernetes.io/auth-url: "https://longhorn.panic.haus/oauth2/auth"
+    nginx.ingress.kubernetes.io/auth-signin: "https://longhorn.panic.haus/oauth2/start?rd=$scheme://$host$request_uri"
+spec:
+  tls:
+  - hosts:
+    - longhorn.panic.haus
+    secretName: longhorn-tls
+  rules:
+  - host: longhorn.panic.haus
+    http:
+      paths:
+      - path: /oauth2
+        pathType: Prefix
+        backend:
+          service:
+            name: oauth2-proxy
+            port:
+              number: 4180
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: longhorn-frontend
+            port:
+              number: 80
--- a/deploy/longhorn/oauth2-proxy-longhorn-svc.yaml
+++ b/deploy/longhorn/oauth2-proxy-longhorn-svc.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: oauth2-proxy-longhorn
+  namespace: longhorn-system
+spec:
+  ports:
+  - port: 4180
+    targetPort: 4180
+    protocol: TCP
+    name: http
+  selector:
+    app: oauth2-proxy-longhorn
--- a/deploy/longhorn/oauth2-proxy-longhorn.yaml
+++ b/deploy/longhorn/oauth2-proxy-longhorn.yaml
@@ -0,0 +1,38 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: oauth2-proxy-longhorn
+  namespace: longhorn-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: oauth2-proxy-longhorn
+  template:
+    metadata:
+      labels:
+        app: oauth2-proxy-longhorn
+    spec:
+      containers:
+      - name: oauth2-proxy
+        image: quay.io/oauth2-proxy/oauth2-proxy:v7.8.1
+        args:
+          - --provider=keycloak
+          - --client-id=longhorn
+          - --client-secret=0U2QuP1QMAXln8bzwJ3aJMIvaH9t2QvJ
+          - --cookie-secret=lDE7du7SlDuG1UySIZUhcHfuk5HlgFlgDWdHD_PQ9UI=
+          - --oidc-issuer-url=https://sso.beatrice.wtf/realms/panic-haus
+          - --cookie-domain=longhorn.panic.haus
+          - --email-domain=*
+          - --http-address=0.0.0.0:4180
+          - --redirect-url=https://longhorn.panic.haus/oauth2/callback
+          -  --upstream=http://longhorn-frontend.longhorn-system.svc.cluster.local:80
+          - --scope=openid
+          - --login-url=https://sso.beatrice.wtf/realms/panic-haus/protocol/openid-connect/auth
+          - --validate-url=https://sso.beatrice.wtf/realms/panic-haus/protocol/openid-connect/userinfo
+          - --redeem-url=https://sso.beatrice.wtf/realms/panic-haus/protocol/openid-connect/token
+          - --skip-auth-regex=^(?:https?:\/\/)?longhorn\.panic\.haus\/(favicon\.ico|.*\.(?:js|css)(\.map)?)$|^\/(favicon\.ico|.*\.(?:js|css)(\.map)?)$
+        ports:
+          - name: http
+            containerPort: 4180
+            protocol: TCP